Here’s what I’m thinking might be a possible attack vector if I set everything properly: SPF, DKIM and DMARC. Let’s say I’m using some SaaS like MailChimp to send emails, they give me “include:spf.mailchimp.com” (I’m making this up) and DKIM keys or CNAME for DKIM. I also set up DMARC with a reject policy. Looks like I’m spoofing-proof.
But if an attacker somehow convinces that same SaaS (it’s easy to see which ones we’re using by checking DNS) to use our @legitcompany.com email address (for example if they don’t do email verification when setting up), then they can easily send emails that look legitimate from our email address, right? This is because DMARC will succeed if either SPF or DKIM succeeds.
So I’m thinking either I need to be sure that the SaaS verifies email ownership before sending from that email address, or maybe I just don’t use their SPF settings and only use DKIM.
What’s your take on that?
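Added example, not part of the original post: a small Python DMARC evaluator that applies the RFC 7489 rule (pass if SPF passes with an aligned RFC5321.MailFrom domain, or DKIM passes with an aligned d= domain), run over four constructed cases including the shared-SaaS scenario raised above. All domain names are made up (.example), the SaaS behaviour in each case is an assumption stated in the comments, and the organizational-domain lookup is simplified (real implementations use the Public Suffix List).

```python
"""Toy DMARC evaluator (RFC 7489 identifier alignment, simplified)."""
from __future__ import annotations

from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real code must
    # use the Public Suffix List (e.g. "example.co.uk" has three labels).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class AuthResults:
    header_from: str   # RFC5322.From domain (what the user sees)
    mail_from: str     # RFC5321.MailFrom / Return-Path domain (what SPF checks)
    spf: str           # SPF result for mail_from: 'pass', 'fail', 'none', ...
    dkim: list[tuple[str, str]] = field(default_factory=list)  # (d=, result)


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> tuple[str, str]:
    """Return (result, reason). DMARC passes if EITHER identifier passes its
    own check AND is aligned with the From: domain; otherwise it fails."""
    if r.spf == "pass" and aligned(r.mail_from, r.header_from, aspf):
        return "pass", f"spf pass, aligned via {r.mail_from}"
    for d, res in r.dkim:
        if res == "pass" and aligned(d, r.header_from, adkim):
            return "pass", f"dkim pass, aligned via d={d}"
    return "fail", "no aligned identifier passed"


LEGIT = "legitcompany.example"               # made-up: our domain
SAAS = "saas-mailer.example"                 # made-up: the SaaS's own domain
SAAS_BOUNCE = "bounce.saas-mailer.example"   # made-up: SaaS return-path domain


def scenarios() -> dict[str, tuple[str, str]]:
    """Constructed cases; SaaS behaviour in each is an assumption."""
    cases = {
        # 1. Our own send through the SaaS. Return-Path is the SaaS's bounce
        #    domain, so SPF passes but does NOT align; DMARC passes only
        #    because the SaaS signs with our d= (the DKIM CNAME we published).
        "ours_dkim": AuthResults(LEGIT, SAAS_BOUNCE, "pass", [(LEGIT, "pass")]),
        # 2. Attacker on the same SaaS, no ownership check, but the SaaS
        #    signs with its own key and uses its own Return-Path: nothing
        #    aligns with From: legitcompany.example -> fail.
        "attacker_default": AuthResults(LEGIT, SAAS_BOUNCE, "pass", [(SAAS, "pass")]),
        # 3. Attacker on the same SaaS, and the SaaS sets Return-Path to the
        #    customer's domain. Because we published include: for the SaaS
        #    range, SPF passes AND aligns -> DMARC pass despite p=reject.
        "attacker_spf_aligned": AuthResults(LEGIT, LEGIT, "pass", [(SAAS, "pass")]),
        # 4. Same as 3, but we never added the SaaS include: to our SPF
        #    record (DKIM-only setup). SPF fails, DKIM d= is the SaaS -> fail.
        "attacker_no_include": AuthResults(LEGIT, LEGIT, "fail", [(SAAS, "pass")]),
    }
    return {name: dmarc_evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (result, reason) in scenarios().items():
        print(f"{name:22s} {result:5s} {reason}")
```

Case 3 is the situation the question describes: once the SaaS can put your domain in the Return-Path, the include: you published is what makes the forged mail pass. Case 4 shows the same forged message failing when only DKIM is delegated to the SaaS.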